Educause Security Discussion mailing list archives
Re: key topics to include in security awareness training materials
From: Melissa Guenther <mguenther () COX NET>
Date: Thu, 5 Feb 2009 14:37:42 -0700
I design Security Awareness CBTs and am sending the TOC for three different versions. Hope this helps.

Melissa

CBT 1

Learning Objectives
- To explain your role in information security to others
- To be able to explain why it's important to read, understand and comply with the Electronic Networks Usage Policy (ENUP)
- To identify ways in which you can protect information from loss, disclosure or misuse
- To be able to explain how to protect and secure your working environment
- To detect signs of trouble and react appropriately

Modules
- Company Information Security
- Electronic Networks Usage Policy
- Protecting Sensitive Information
- Protecting Your Password
- Selecting Your Password
- Protecting Your Computer From Viruses
- Securing E-mail
- Secure Use of the Internet
- Avoiding Social Engineering
- Protecting Laptops & Other Portable Devices
- Working at Home
- Where to Get Help and Wrap Up

CBT 2

Home users need to understand the basics of security:
- Virus Issues
- E-mail Safety
- Passwords
- Digital Rights
- Patch Management
- Firewalls and Privacy
- Disaster Recovery

At first glance these sound like some very complex and complicated concepts, but when they are broken down, they are really quite common sense activities.

For virus issues, you need to make sure that you have an anti-virus program installed, but equally important, you need to make sure that the anti-virus program is updated quite frequently. Anti-virus signature or data files contain the new vaccinations to the latest computer viruses, worms and Trojan horse programs that were created after the original anti-virus software was released. The immunization shots you received as a child protect you from the mumps, rubella and measles, but they do nothing to protect you from the flu, anthrax, rabies or smallpox. Luckily for us, updating the computer anti-virus signature files is much easier and much less painful than getting jabbed with a sharp needle.
E-mail safety: taking precautions with your e-mail will help reduce the instances of computer virus attacks. Just as you take care when opening the door to strangers, you need to take the same sort of care with opening unsolicited e-mail or spam. Since a majority of spam messages are automatically created and addressed by scripts run on computers, do not ever reply to spam, since this will give the spammers a valid e-mail address and will result in much more spam. Other considerations for e-mail have to do with attachments and links. Never open attachments unless they have been scanned by an updated anti-virus package. If you have not requested a file, be extra suspicious, since this is the most common method of spreading computer viruses. Unfortunately, it isn't even safe to click on links anymore. There are several common vulnerabilities that can compromise simple URLs.

Think of your passwords as your keys. You wouldn't have the same key to open every door, whether your front door, your car door or your safety deposit box. Just as keys and locks have evolved into sophisticated mechanisms, your passwords need to be sophisticated as well. Just as you take reasonable care with your keys, you need to take reasonable care with your passwords. Just as you wouldn't think of taping the key to your front door to the door, you should never think to write your password down on a yellow sticky note and paste it to your monitor. When you choose a good strong password, choose a word that is at least eight characters long, avoid commonly used words, purposely misspell words, use nonsensical or made-up words, and always add numbers and special characters to your password. Avoid these common pitfalls: never use your Social Security Number, the name of a loved one, your favorite sports team, favorite hobbies, or common dictionary words. An example of a strong password could be "~Grulp00l<."
Examples of bad or weak passwords are "Mariners" or "Fluffy", since these could be easily guessed: it is well known that you hold season baseball tickets, or that your beloved pet bunny's name is Fluffy.

Digital Rights or piracy means that if you are going to run software, you need to purchase that software. Civil penalties for illegal software run into the hundreds of thousands of dollars. Criminal penalties for illegal software include steep fines and jail time.

Patch management is just a fancy way of saying that you need to install your patches in a timely manner. Just as new viruses are being released, flaws are found in the software you have installed on your computer system. Software makers periodically release software patches for everything ranging from operating systems to browsers to games. It is important to install these patches when they are released to protect your system.

Firewalls protect you from the heat. In a fireplace, that firewall can protect the rest of your house. In your car, the firewall protects you from the engine heat, and provides some structural support for the car. A computer firewall performs basically the same function electronically - it protects your system from some of the heat from the Internet. Modern operating systems have integrated firewall systems and there are a number of personal firewalls available.

Privacy isn't just about protecting us from identity theft, although that is definitely one of the more high profile examples of the need to protect our personal and private information. We now have laws to protect our health information, in the form of the new HIPAA regulations. We are all aware of identity theft these days. There are TV commercials from financial institutions touting the dangers of fraud, and it seems like hardly a day goes by without a major news story featuring either a new scam or a victim who is trying to clear their good name.
Some of the ways to protect your personal information include not having your Social Security Number, SSN, or your driver's license number printed on your checks. Buy a cross cut shredder and shred all documents that contain important information, such as credit card numbers, your SSN, or other related important information. Never respond to e-mails requesting your account numbers or passwords, or other similar information.

The recent fires and floods that have held our collective attention serve as reminders that all households need to have a disaster recovery and contingency plan. While businesses need to be concerned with safeguarding their assets, private individuals need to create plans as well. These plans should include a complete household inventory, plans for children and pets, meeting locations, and 72-hour emergency packs, and should be created and reviewed frequently. In the parts of the country where there are harsh winters, emergency packs should be placed in cars as well. In many fires where people lose everything, many times the victims can't even give the insurance companies complete inventories of the household goods that were lost. Copies of important documents should be stored in a safe location, such as a safety deposit box. Computer data should be frequently backed up, and a copy should be kept with your other documents.

In the Workplace

Workers' security includes not only physical security, making sure that employees have a safe workplace, but it also includes the implementation of security policies and procedures. Some of these policies include dealing with unauthorized access, emergency preparedness and contingency planning, and dealing with pornography to prevent sexual harassment incidents. Workplace violence also needs to be addressed because, while servers and laptops are easily replaced, the knowledge and experience your workers hold are much more valuable.
All companies have proprietary information, whether you are Coca-Cola or the Federal Government. As a member of the management team, protecting these trade secrets is part of your responsibility. It is incumbent upon you to make sure your security team is well funded and well trained. The reception area is the first line of defense for many companies, and as such they need to add to the basic users' skill set:

Physical security concerns itself with such things as doors, locks, guards, identification badges and other similar physical barriers. The reception area is really the first line of defense for physical security and social engineering issues. Social Engineering refers to people bluffing their way past security checkpoints, whether they are calling and impersonating someone with authority, or impersonating a maintenance worker in order to gain physical access to secured areas. Always verify the identification of all visitors, and never give out sensitive information over the phone without positively verifying the identity of the caller.

Management Needs

The "why" of security is different than the "how" of security. It is important that Management has an understanding of security issues so that they can make good management choices. Management is not only responsible for the security of their facility, but most importantly, they are also responsible for the security of their workers.

Executive Needs

When security works, nothing seems to happen. All too often this makes security teams a target for the budget ax, since they are a cost center instead of a revenue generating entity. While the payroll department does not generate any revenue, very few companies would go without a mechanism to pay workers. We have all heard anecdotes where senior management personnel are not even capable of reading their own e-mail, let alone remembering their own passwords. Such tasks are deemed to be beneath their notice or abilities or station.
If you had an off-shore bank account that was worth millions of dollars, would you be bothered to remember that password? The security of your company deserves no less attention or care. When executives travel, they often take their laptops with them. These laptops are a target of thieves, not so much for the intrinsic value of the hardware. The real target is the information contained on those laptops. Executives are privy to company secrets; some of those secrets could be very damaging to their company if that information is made public. This information could be financial information, product information, or even corporate e-mails that could be very damaging if they fell into the wrong hands. Make sure that as part of your security policies and procedures you cover laptop security.

The Gramm-Leach-Bliley Act
http://www.ftc.gov/privacy/glbact/
"The Financial Modernization Act of 1999, also known as the "Gramm-Leach-Bliley Act" or GLB Act, includes provisions to protect consumers' personal financial information held by financial institutions. There are three principal parts to the privacy requirements: the Financial Privacy Rule, Safeguards Rule and pretexting provisions."

Modules include:

Pornography: Pornography is problematic for several reasons. In a business setting, pornography can result in sexual harassment lawsuits being filed if a company does not have the policies and countermeasures in place to restrict this activity. From a technical perspective, pornographic sites are often laden with various viruses, worms, or trojan horse programs. Additionally, hacker sites often use porn pop-up ads to generate funds to support their site. These pop-ups can literally generate more instances of your browser than your system can handle.

Coding issues: If your organization has any responsibility for writing or maintaining computer code, then it is important that your development staff understand and implement measures to write secure code.
One of the most common security holes that could be eliminated is the buffer overflow, which exists solely because of bad programming practices.

E-mail safety: taking precautions with your e-mail will help reduce the instances of computer virus attacks. Just as you take care when opening the door to strangers, you need to take the same sort of care with opening unsolicited e-mail or spam. Since a majority of spam messages are automatically created and addressed by scripts run on computers, do not ever reply to spam, since this will give the spammers a valid e-mail address and will result in much more spam. Other considerations for e-mail have to do with attachments and links. Never open attachments unless they have been scanned by an updated anti-virus package. If you have not requested a file, be extra suspicious, since this is the most common method of spreading computer viruses. Unfortunately, it isn't even safe to click on links anymore. There are several common vulnerabilities that can compromise simple URLs.

Networks: Network security is more than just making sure that the routers are locked down. In a global sense it means securing every node on your network. This includes workstation security: anti-virus packages, spam filters, software licenses, and other similar considerations. Networks need to have firewalls, intrusion detection systems (IDS), and other similar systems installed. If there are outside connections that need to be maintained, then things such as virtual private networks (VPNs), remote access servers, wireless connectivity issues, and other similar measures need to be taken.

Passwords: Think of your passwords as your keys. You wouldn't have the same key to open every door, whether your front door, your car door or your safety deposit box. Just as keys and locks have evolved into sophisticated mechanisms, your passwords need to be sophisticated as well.
Just as you take reasonable care with your keys, you need to take reasonable care with your passwords. Just as you wouldn't think of taping the key to your front door to the door, you should never think to write your password down on a yellow sticky note and paste it to your monitor. When you choose a good strong password, choose a word that is at least eight characters long, avoid commonly used words, purposely misspell words, use nonsensical or made-up words, and always add numbers and special characters to your password. Avoid these common pitfalls: never use your Social Security Number, the name of a loved one, your favorite sports team, favorite hobbies, or common dictionary words. An example of a strong password could be "~Grulp00l<." Examples of bad or weak passwords are "Mariners" or "Fluffy", since these could be easily guessed: it is well known that you hold season baseball tickets, or that your beloved pet bunny's name is Fluffy.

Physical Security: Physical security concerns itself with such things as doors, locks, guards, identification badges and other similar physical barriers.

WiFi use: Short for wireless fidelity, and meant to be used generically when referring to any type of 802.11 network, whether 802.11b, 802.11a, dual-band, etc. (Webopedia.com, http://www.pcwebopedia.com/TERM/W/Wi_Fi.html). Wireless networks can be problematic for several reasons. Users have been known to bring in wireless hubs from home and install them in the corporate setting. Unfortunately, when this happens, the network administrators and security personnel effectively lose all control of their network, since rogue network points are by definition uncontrollable. If a wireless network is set up incorrectly, it will make available the entire network to anyone passing or driving by your site. This means that your entire network, including all the proprietary information, such as payroll, is now visible to the world.
Cell phones: As cell phones become more sophisticated, they are starting in some instances to be small computers in their own right. Some have the capability of PDAs, while other phones are starting to integrate digital cameras. There is some concern with these new phones that they can be used to break the law, especially voyeurism laws. Keep in mind that these phones can be used to take photographs of sensitive areas and documents as well as snap pictures of happy puppies. There is some anecdotal evidence that text messaging is being used to facilitate cheating in schools.

PDAs: Personal Digital Assistants, like cell phones, seem to be ubiquitous these days. While they are very handy little devices, they can be used to cause damage to a company if not properly accounted for, since they can be used to remove restricted data from a company. If your company permits the use of PDAs, one of the policies that covers them should include language that restricts the PDA from being synchronized on multiple computers. If the PDA is used for business purposes, then it should only contain business applications and data. An additional consideration for PDAs is to be aware that there are viruses written for specific PDA platforms. Also, PDAs have wireless capabilities, whether they have 802.11 capabilities or infrared beaming abilities.

Spam: Unsolicited e-mail is called spam. Since a majority of spam messages are automatically created and addressed by scripts run on computers, do not ever reply to spam, since this will give the spammers a valid e-mail address and will result in much more spam. Not only is spam annoying, but it can clog a company's e-mail servers, and it is also a known virus injection method.

Patch Management: Patch management is just a fancy way of saying that you need to install your patches in a timely manner. Just as new viruses are being released, flaws are found in the software you have installed on your computer system.
Software makers periodically release software patches for everything ranging from operating systems to browsers to games. It is important to install these patches when they are released to protect your system.

DRM: Digital Rights or piracy means that if you are going to run software, you need to purchase that software. Civil penalties for illegal software run into the hundreds of thousands of dollars. Criminal penalties for illegal software include steep fines and jail time.

HIPAA: National Standards to Protect the Privacy of Personal Health Information, http://www.hhs.gov/ocr/hipaa/. These recently enacted rules are safeguards to protect your personal and private health information. All healthcare providers and insurance companies are required to comply with various safeguards and countermeasures to protect patient information.

Biometrics: This group of technology solutions uses personal characteristics to verify your identity. It can either be based on a physical measurement, of say your fingerprint, or a particular behavior such as your typing pattern or the way you walk.
For more information, please see the following sites:
- BioAPI Consortium, http://bioapi.org/
- The National Institute of Standards and Technology's (NIST) site, the Biometrics Resource Center Website, http://www.itl.nist.gov/div895/biometrics/

CBT 3

Personal Security
- Intelligence Gathering (Social Engineering)
- Identity Theft
- Clean Desk Policy
- Document Disposal
- Parking Lot Security
- Violence in the Workplace
- Reporting Security Incidents

Physical Security
- Building Access
- Rules for ID Badges
- PC Security
- Visitor Control
- Emergency Alerts
- Property Passes
- Telephone Fraud
- After Hours Access

Information Security
- Password Construction and Management
- Screen Savers
- Internet Security
- Software Piracy
- Data Backup
- Email Usage
- Internet Usage
- Viruses

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Tim Cline
Sent: Thursday, February 05, 2009 9:51 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] key topics to include in security awareness training materials

Greetings,

I wanted to send a very general email message to start a conversation on security awareness. For those of you who have something that you currently use for security awareness training and dissemination of information, whether developed in-house or a third-party courseware management platform, could you send a reply and let me know what are the key topics that you are covering?

Regards,
Tim Cline

Tim Cline
ITS Security Analyst
ITS Security / Information Technology Services
The University of North Carolina at Chapel Hill
(919) 445-9388
Tim_Cline () unc edu
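The password guidance in the CBT 2 material (at least eight characters, numbers and special characters, no common words, teams, hobbies or pet names, no SSN or loved one's name) is checked mechanically here, as an added example that is not part of the original message or Melissa's courseware; the blocklist and the user profile are constructed placeholders, and the trailing period in "~Grulp00l<." is read as sentence punctuation.

```python
import re

# Constructed blocklist standing in for the "common pitfalls" the post lists:
# dictionary words, sports teams, hobbies, pet names. A real deployment would
# load a large word list; these entries are illustrative only.
BLOCKLIST = {
    "mariners", "fluffy", "password", "baseball", "football", "fishing",
    "welcome", "letmein", "qwerty", "monkey", "dragon",
}

# Hypothetical user profile so the checker can reject passwords built from
# personal details (SSN, a loved one's name), as the post advises.
PROFILE = {"ssn": "123456789", "loved_ones": ["Fluffy", "Sam"]}


def _normalise(word: str) -> str:
    """Undo common letter-for-digit substitutions so 'F1uffy' still matches 'fluffy'."""
    table = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                           "5": "s", "7": "t", "@": "a", "$": "s"})
    return word.translate(table).lower()


def check_password(pw: str, profile: dict = PROFILE) -> list:
    """Return the policy rules the password violates; an empty list means it passes."""
    failures = []
    # Rule: at least eight characters long
    if len(pw) < 8:
        failures.append("shorter than eight characters")
    # Rule: always add numbers and special characters
    if not re.search(r"\d", pw):
        failures.append("no number")
    if not re.search(r"[^A-Za-z0-9]", pw):
        failures.append("no special character")
    # Rule: avoid commonly used words, teams, hobbies and pet names, even
    # when they are disguised with digit substitutions or punctuation
    letters_only = re.sub(r"[^A-Za-z0-9]", "", pw)
    normalised = _normalise(letters_only)
    if any(word in normalised for word in BLOCKLIST):
        failures.append("common word, team, hobby or pet name")
    # Rule: never use your Social Security Number
    ssn = profile.get("ssn")
    if ssn and ssn in pw.replace("-", ""):
        failures.append("contains Social Security Number")
    # Rule: never use the name of a loved one
    for name in profile.get("loved_ones", []):
        if name.lower() in normalised:
            failures.append(f"contains loved one's name ({name})")
    return failures


if __name__ == "__main__":
    for candidate in ("~Grulp00l<", "Mariners", "Fluffy", "Mariners2009!"):
        problems = check_password(candidate)
        print(f"{candidate!r}: {'OK' if not problems else '; '.join(problems)}")
```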